3v4l.org

run code in 300+ PHP versions simultaneously
<?php $xml = <<<XML <!DOCTYPE root [ <!ENTITY attack SYSTEM "config/config.ini"> <!ENTITY ent SYSTEM "entities/ent.txt"> ]> <xml> &attack; &ent; </xml> XML; // emulate existing local file mkdir('/tmp/entities/'); file_put_contents('/tmp/entities/ent.txt', 'OK ENTITY'); libxml_set_external_entity_loader( function (?string $public, ?string $system, array $context) { $path = realpath('/tmp' . $system); if ($public === null && $path !== null && str_starts_with($path, '/tmp/entities/')) { $resolved = file_get_contents('/tmp' . $system); } else { $resolved = 'nice try but no'; } $f = fopen('php://temp', 'r+'); fwrite($f, $resolved); rewind($f); return $f; } ); $doc = new DOMDocument; $doc->loadXML($xml, LIBXML_NOENT); echo $doc->saveXML(); ?>
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/fpedv
function name:  (null)
number of ops:  23
compiled vars:  !0 = $xml, !1 = $doc
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    2     0  E >   ASSIGN                                                   !0, '%3C%21DOCTYPE+root+%5B%0A++++%3C%21ENTITY+attack+SYSTEM+%22config%2Fconfig.ini%22%3E%0A++++%3C%21ENTITY+ent+SYSTEM+%22entities%2Fent.txt%22%3E%0A%5D%3E%0A%3Cxml%3E%0A++++%26attack%3B%0A++++%26ent%3B%0A%3C%2Fxml%3E'
   14     1        INIT_FCALL                                               'mkdir'
          2        SEND_VAL                                                 '%2Ftmp%2Fentities%2F'
          3        DO_ICALL                                                 
   15     4        INIT_FCALL                                               'file_put_contents'
          5        SEND_VAL                                                 '%2Ftmp%2Fentities%2Fent.txt'
          6        SEND_VAL                                                 'OK+ENTITY'
          7        DO_ICALL                                                 
   17     8        INIT_FCALL                                               'libxml_set_external_entity_loader'
   18     9        DECLARE_LAMBDA_FUNCTION                          ~5      [0]
   29    10        SEND_VAL                                                 ~5
   17    11        DO_ICALL                                                 
   32    12        NEW                                              $7      'DOMDocument'
         13        DO_FCALL                                      0          
         14        ASSIGN                                                   !1, $7
   33    15        INIT_METHOD_CALL                                         !1, 'loadXML'
         16        SEND_VAR_EX                                              !0
         17        SEND_VAL_EX                                              2
         18        DO_FCALL                                      0          
   34    19        INIT_METHOD_CALL                                         !1, 'saveXML'
         20        DO_FCALL                                      0  $11     
         21        ECHO                                                     $11
   35    22      > RETURN                                                   1


Dynamic Functions:
Dynamic Function 0
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 46) Position 1 = 10, Position 2 = 12
Branch analysis from position: 10
2 jumps found. (Code = 46) Position 1 = 13, Position 2 = 18
Branch analysis from position: 13
2 jumps found. (Code = 43) Position 1 = 19, Position 2 = 25
Branch analysis from position: 19
1 jumps found. (Code = 42) Position 1 = 26
Branch analysis from position: 26
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 25
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 18
Branch analysis from position: 12
filename:       /in/fpedv
function name:  {closure}
number of ops:  40
compiled vars:  !0 = $public, !1 = $system, !2 = $context, !3 = $path, !4 = $resolved, !5 = $f
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   18     0  E >   RECV                                             !0      
          1        RECV                                             !1      
          2        RECV                                             !2      
   19     3        INIT_FCALL                                               'realpath'
          4        CONCAT                                           ~6      '%2Ftmp', !1
          5        SEND_VAL                                                 ~6
          6        DO_ICALL                                         $7      
          7        ASSIGN                                                   !3, $7
   20     8        TYPE_CHECK                                    2  ~9      !0
          9      > JMPZ_EX                                          ~9      ~9, ->12
         10    >   TYPE_CHECK                                  1020  ~10     !3
         11        BOOL                                             ~9      ~10
         12    > > JMPZ_EX                                          ~9      ~9, ->18
         13    >   INIT_FCALL                                               'str_starts_with'
         14        SEND_VAR                                                 !3
         15        SEND_VAL                                                 '%2Ftmp%2Fentities%2F'
         16        DO_ICALL                                         $11     
         17        BOOL                                             ~9      $11
         18    > > JMPZ                                                     ~9, ->25
   21    19    >   INIT_FCALL                                               'file_get_contents'
         20        CONCAT                                           ~12     '%2Ftmp', !1
         21        SEND_VAL                                                 ~12
         22        DO_ICALL                                         $13     
         23        ASSIGN                                                   !4, $13
   20    24      > JMP                                                      ->26
   23    25    >   ASSIGN                                                   !4, 'nice+try+but+no'
   25    26    >   INIT_FCALL                                               'fopen'
         27        SEND_VAL                                                 'php%3A%2F%2Ftemp'
         28        SEND_VAL                                                 'r%2B'
         29        DO_ICALL                                         $16     
         30        ASSIGN                                                   !5, $16
   26    31        INIT_FCALL                                               'fwrite'
         32        SEND_VAR                                                 !5
         33        SEND_VAR                                                 !4
         34        DO_ICALL                                                 
   27    35        INIT_FCALL                                               'rewind'
         36        SEND_VAR                                                 !5
         37        DO_ICALL                                                 
   28    38      > RETURN                                                   !5
   29    39*     > RETURN                                                   null

End of Dynamic Function 0

Generated using Vulcan Logic Dumper, using php 8.0.0

preferences:
153.1 ms | 1016 KiB | 22 Q